VYPR

npm · Malicious package advisory

Malware

grateful-checkout

MAL-2026-5444

Malicious code in grateful-checkout (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c2a9600ad3ee3fddd9f06425260c94edf660263800080787155a63d3e5212d12)
On `npm install`, the postinstall hook in src/canary.js performs a DNS lookup and an HTTPS GET to a serveo tunnel host (`96e03fa6c292469a-172-245-86-254.serveousercontent.com/canary-install?pkg=...&ver=...`), leaking the installer's source IP and the resolved package name/version to a third-party endpoint without consent. The package's README falsely claims that no data is collected or transmitted. The package additionally impersonates the API surface of an internal Exodus checkout-signing module (`generateMnemonicSigningKeys`, `signDirectPaymentMultiChain`, `signCapture`, `signRefund`, `signCharge`, `signCancelSubscription`) to land via dependency confusion against private name resolution. While self-described as a security research PoC, the behavior — uncontracted outbound network from a lifecycle hook to a researcher-controlled tunnel and namespace impersonation of a private package — is installer-harming regardless of intent.

Compromised versions (1)

  • 99.0.0-canary.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.